Channels

Services

Microsoft confirms IIS hole

Microsoft has confirmed the security hole in its IIS web server, but hasn't disclosed which versions of the product are affected. According to the finder of the "semi-colon bug", versions up to and including version 6 are vulnerable. The hole allows attackers, for instance, to camouflage executable ASP files as harmless JPEG files and upload malicious code to a server.

Microsoft's Security Response Center (MSRC) says it is investigating the vulnerability and has so far not found evidence of any attackers actively exploiting the hole to compromise a server. According to the vendor, the required conditions present an obstacle for successful attacks: Attackers must have authenticated themselves on a server and possess read as well as upload privileges to a directory which, in turn, must allow the execution of code.

Although these conditions are not present in any standard installation, opinions about the risk levels vary considerably. Security firm Secunia considers the vulnerability a moderate threat. The Internet Storm Center has rated the problem critical and recommends that affected users take additional security precautions until a patch becomes available. An 8 basic rules plan compiled by the ISC is to assist with this task. In its first response to the vulnerability, Microsoft also suggested several links to instructions on how to ensure server security.